ce2cad55ad1375a33a0d15370050913d305ec2d686798441a47d5b2fd1f6f476

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 06:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

21a5d745fc87655508193bb65d1a7e70_NeikiAnalytics.exe
Size

2.2MB
MD5

21a5d745fc87655508193bb65d1a7e70
SHA1

40810c281a29762fb991bdc97059012e311ed229
SHA256

ce2cad55ad1375a33a0d15370050913d305ec2d686798441a47d5b2fd1f6f476
SHA512

3568ad285ae144d4a6d1ad008d95d54b15d9306fa07d542173cfab0266bcdc51df108633f24988746639258889a121d62f499d356e7d0a14cdb61b9dd6d18ef1
SSDEEP

49152:MXKgbSUIxUCG4LNcDYH8Grkl5Dm8E0jD8T:8JcUQLUGrupm8ECD8T

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	21a5d745fc87655508193bb65d1a7e70_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
968	irsetup.exe

Loads dropped DLL 1 IoCs

pid	Process
968	irsetup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002340a-5.dat	upx
behavioral2/memory/968-14-0x0000000000070000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/968-23-0x0000000000070000-0x0000000000458000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
968	irsetup.exe
968	irsetup.exe
968	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 968	1584	21a5d745fc87655508193bb65d1a7e70_NeikiAnalytics.exe	82
PID 1584 wrote to memory of 968	1584	21a5d745fc87655508193bb65d1a7e70_NeikiAnalytics.exe	82
PID 1584 wrote to memory of 968	1584	21a5d745fc87655508193bb65d1a7e70_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\21a5d745fc87655508193bb65d1a7e70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\21a5d745fc87655508193bb65d1a7e70_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\21a5d745fc87655508193bb65d1a7e70_NeikiAnalytics.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-540404634-651139247-2967210625-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
memory/968-14-0x0000000000070000-0x0000000000458000-memory.dmp

Filesize
3.9MB

Download
memory/968-23-0x0000000000070000-0x0000000000458000-memory.dmp

Filesize
3.9MB

Download